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Abstract 

We introduce a simple tool that can be used to reduce non-injective instances of the 
hidden shift problem over arbitrary group to injective instances over the same group. 
In particular, we show that the average-case non-injective hidden shift problem admit 
this reduction. We show similar results for (non-injective) hidden shift problem for bent 
functions. We generalize the notion of influence and show how it relates to applicability 
of this tool for doing reductions. In particular, these results can be used to simplify 
the main results by Gavinsky, Roetteler, and Roland about the hidden shift problem for 
the Boolean-valued functions and bent functions, and also to generalize their results to 
non-Boolean domains (thereby answering an open question that they pose). 
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1 Introduction 

After Shor's discovery of an efficient quantum algorithm for factoring and the discrete 
log problems, research on the hidden subgroup problem (HSP) attracted many scholars 
in the field [2]. HSP is a framework which includes factoring and the discrete log in 
itself [3] . Despite the early success in finding a solution for the abelian HSP, achieving a 
similar result has proven to be hard for the non-abelian case |3J. HSP is important since 
solutions for it over the dihedral group and the symmetric group will yield solutions to 
some lattice problems and graph isomorphism respectively [4| [6] [7] . In both cases, we 
have a non-abelian instance of HSP. 

The hidden shift problem (also known as the hidden translation problem) was defined 
in the works of 8 , 9 . Interesting problems can be stated as a hidden shift problem, most 
notably this includes hidden subgroup problem over dihedral group, which is equivalent 
to the hidden shift problem over Zjv, and graph isomorphism, which can be cast as a 
hidden shift problem over S n [101 1111 [12] . The study of the hidden shift problem can 
give an arguably more natural view to tackle the graph isomorphism problem 12 . 

In the injective hidden shift problem, we are given two injective functions over some 
group G that are simply a shifted version of each other. The task is to output such a 



shift. More formally, let /, g : G — > S be two injective functions such that, for some 
unique s 6 G, it holds that 

f(x) = g{sx) for all x G G. (1) 

The goal is to find the hidden shift s. 

Relaxing the requirement for the functions to be injective, will lead to a variant of the 
problem. We call this new problem, the non-injective hidden shift problem. We restrict 
the problem to the instances with non-periodic functions, so that the hidden shift will 
be unique. 

By lower bounds on the query complexity of the unstructured search problem, a worst 
case solution to the non-injective hidden shift problem cannot be obtained [17) . Imposing 
restrictions on the instances makes the non-injective hidden shift problem more tractable. 
In particular, in this paper, we are concerned with the average case non-injective hidden 
shift problem and also the hidden shift problem for bent functions. 

The non-injective hidden shift problem has been studied for a variety of functions. Ef- 
ficient quantum algorithm for solving the hidden shift problem when / : Z p — > { — 1,0,1} 
is the Legendre symbol is presented in the work by van Dam et al. [8]. They also gave 
a reduction to the injective case based on a conjecture in [7] that any string formed 
by I subsequent values of / is unique where / > 2 log 2 p. Gavinsky et al. gave an effi- 
cient quantum algorithm in [I] for solving the hidden shift problem for the average case 
Boolean functions / : ZJ — >■ Z2. Ozols et al gave another quantum algorithm for the 
Boolean hidden shift problem based on a quantum analogue of the rejection sampling 
defined in their paper |13) . Roetteler gave an efficient quantum algorithm in [14] for 
solving the hidden shift problem for several classes of the so-called bent functions. Later 
in [T] , the hidden shift problem for all bent functions was solved as a special case of their 
algorithm. Bent functions are the Boolean functions f(x) : ZJ — > 1*2 for which applying 
Hadamard transform to the function f'(x) := (— 1)^W will yield Fourier coefficients of 
equal absolute value [15 . A complete characterization of bent functions seems to be a 
subtle task. However, it can be shown that bent functions do not exist for values of n that 
are odd [13] • For large enough values of n that are even, bent functions are guaranteed 
to exist and their count is at least Q ^2 2 +1//2 (n/2)^ [16\ . 

1.1 Our results 

In the next section, we introduce a framework that we call injectivization. We show 
that this tool can be used particularly for reducing the average case non-injective hidden 
shift problem for functions from any abelian or non-abelian group G to any finite set to 
the injective hidden shift problem over the same group. Also, it can be used to reduce 
the (non-injective) hidden shift problem for bent functions to the injective hidden shift 
problem over the same group (which is Z2 ). We relate the applicability of this tool to a 
generalized notion of influence of the function. 

These results about the hidden shift problem for the average case Boolean functions 
and bent functions and the relation to the function's influence simplify the main result 
in [T] . We show that the Boolean hidden shift problem and the hidden shift problem for 
bent functions both reduce to Simon's problem since the injective hidden shift problem 
over Z2 admits a straightforward reduction to Simon's problem. Furthermore, these 
results answer an open question they ask, whether their methods can be generalized and 
adapted for the case of non-Boolean functions, as well. We do not use the methods in 
PQ, but using our own method, we generalize the results in [T] to functions whose range 
are arbitrary sets and are defined over groups of form Z, with q a constant prime power. 
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2 Injectivization 



Injectivization is a process making it possible to transform two given non-injective func- 
tions defined over an arbitrary finite group into two injective functions defined over the 
same group while preserving the shift structure between them. The framework that we 
describe below is a way of constructing an injectivization process. 

In this paper, we use G to refer to an arbitrary finite group and S to refer to an 
arbitrary finite set. We denote the fc-th component of an m-tuple V £ G m with Vk- 

The injectivization's input and output are specified in the following way: 

• Input: any function / : G — > S and an m-tuple V G G m , 

• Output: function fy : G — > S m constructed in the following way: 

fv(x) := (f(xvi), f(xv 2 ), f{xv m )) . (2) 
We say injectivization succeeds if fy is injective; otherwise it fails. 



2.1 The average case non-injective hidden shift problem 

To show that injectivization fails only with small probability when the input function 
/ : G — ¥ S is chosen uniformly at random, in Theorem 1 we show that the probability 
of a collision (i.e., the existence of x,y S G such that fv(x) — fv{y)) is small if V has 
distinct components. Note that random variables fv(x) and fv(y) are not necessarily 
independent. We slightly abuse the definition of the non-injective hidden shift problem 
in Theorem 1 and Corollary 2. We make no promise that functions are not periodic. 

Theorem 1: For arbitrary V £ G m with distinct components and for uniformly random 

\G\ 2 

function / : G —¥ S the probability that fy is not injective is at most — \m/2~\ ' 

Proof: We will show that, for any distinct x and y in the domain, Pr[fv(x) = fv(y)] < 
1/ 15*1 T" 1 / 2 ! and then the result follows from the union bound. 

Let x and y be any two points in the domain of the function. If all of the components 
of (xvi, XV2, . . . , xvm) and (yvi,yv2, . . . , yv m ) are distinct then it is clear that equality 
in each component is independent, so Pr[fv(x) — fv(y)] = 1/ |S| m . However, the 
components need not all be distinct in which case there can be dependencies among 
components. To illustrate, consider the case where G = Z£ , \S\ =2 and m = 2. We use 
additive notation temporarily. If x = Vi and y = V2 then (x + vi , x + v-2 ) = (0, v\ © W2) 
and (y + vi,y + V2) = (v2 ffi vi, 0), so a collision in the first component implies a collision 
in the second component. Therefore, the probability of the collision fv(x) — fv(y) is 
1/2 rather than 1/4. 

To address the general case, consider a maximal chain of dependencies: 



xvji = yVj 2 
xv j2 = yv ]3 

xv jr = yv Jr+1 . (3) 

If j r +i = ji then we have an r-cycle (the above example is a 2-cycle)(Fig. [l]). Collisions 
in components J2, - ■ ■ ,jr of fv(x) and fv(y) occur independently; however if all these 
components collide, a collision in the component ji is implied (Fig. [2]). Therefore, the 
probability of a collision among components j\ , . . . , j r is 1/ | S\ 1 ~ 1 . If , on the other hand, 
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the chain is not cyclic then the probability of a collision among components ji, ■ ■ ■ , jV+i 
is l/\S\ . Since all maximal chains of dependencies are disjoint, the probability of 
fv{x) = fv(y) is the highest when there are m/2 2-cycles, when it is 1/ \S\^ m ^ 2 ^ (Fig. 
[§)■- 

/Oil) f(yv j2 ) f(yv j3 ) ■■■ f(yv jr ) 




f(xv h ) f(xv j2 ) f(xv j3 ) ■■■ f(xv jr ) 



Figure 1: Components are shown with vertices and equal components are connected 
with an edge. 



fiyvji) f(v v h) fiv v h) ■•■ f{v v 3r) 




f{xv h ) f(xv h ) f(xv h ) ■■■ f(xv jr ) 



Figure 2: Components are shown with vertices and equal components are connected 
with an edge. Dashed lines show the collisions. 

It is not hard to show that injectivization preserves the shift. More formally, pick an 
arbitrary V G G m where m is any positive integer. Pick functions f,g : G S. For 
any s £ G, it holds that f(x) — g(sx) for all x € G if and only if fv(x) = gv(sx) for all 
x £ G. Furthermore, given oracles for /, g, it is straightforward to simulate a query to 
fv and gv efficiently, in both quantum and classical regime. Using these and Theorem 
1, we obtain the following corollary. 



Corollary 2: Injectivization, when it succeeds, reduces an instance of the non-injective 
hidden shift problem /, g : G — > S to an instance of the hidden shift problem fv,gv '■ 
G — > S m where m is the number of V's components. Injectivization fails with probability 

G| 2 

at most F — over the uniform random choice of f . 

igirm/21 1 

Theorem 1 specifies an upper bound on the failure rate of the injectivization process 
when the function / is chosen uniformly at random. Injectivization process always fails 
when the input function is periodic since the output function also will be periodic. As a 
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>h) f{yv j2 ) 



f(yv j3 ) f(yv j4 ) 



f{yv. 




'jr-i) f(y v jr) 




f(xv 



'h) f( xv h) 



f{xv h ) f(xv j4 ) 



f(xu 



'jr-l) f( XV jr) 



Figure 3: Components are shown with vertices and equal components are connected 
with an edge. Dashed lines show the collisions. 

result, the failure rate when / is a uniformly and randomly chosen function in Corollary 
2 is also an upper bound on the failure rate when / is a non-periodic uniformly and 
randomly chosen function. Using this and Corollary 2, the following corollary is trivial 
for polynomially large m: 

Corollary 3: Let V S G m be composed of m distinct components. Having m > 
(4 + e) log|5| \G\ with an arbitrary constant e > 0, an instance of the non-injective hidden 
shift problem f,g:G-^Sis reduced to an instance of the hidden shift problem fv,gv '■ 
G — > S m with extremely high probability (asymptotically) over the uniform random 
choice of the non-periodic function /. 

Theorem 2 in pQ states that by the algorithms in jT|, an average case exponential sep- 
aration can be achieved. This result can be simplified by reducing the Boolean hidden 
shift problem to Simon's problem [18] : 

Corollary 4: The average case Boolean hidden shift problem reduces to Simon's problem 
using injectivization over f,g : Z£ — ¥ {0,1} and then constructing the blackbox in 
Simon's problem h : Z% +1 — > {0, l} m in the following way: 



Gavinsky el al. posed an open question in 1] whether the methods they have used for 
solving the hidden shift over Z% for the Boolean functions can be generalized and adapted 
for the case of non-Boolean functions. We have not used the method in [T], but we can 
say that using injectivization, as described above, we can reduce the average case non- 
injective hidden shift problem over Z£ to Simon's problem. Since in Simon's problem, 
it is not important for the functions to have range in binary strings, our functions need 
not be binary and they can have range in any finite set S. Furthermore, considering the 
domain to be the group Z™ with q > 3 a constant prime power, using injectivization, we 
can reduce the problem to the already solved injective case [9l HQ] . 

2.2 Relation between the hidden shift problem and influ- 
ence over the functions 

We extend the notion of influence to the functions defined over any group G and having 
range in any set S. The influence of v over / : G — > 5* is defined as 7u(/) = Pr x [f(x) ^= 



h(x n x n -i . . . xix ) 



{ 



fv(x n - 1 x n -2 . . . x ), if x„ = 
gv{x n -\x n -2 ■ ■ ■ x ), ifx n = l. 



(4) 
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f(xv)]. When G — Z£ and 5 = {0, 1}, this definition reduces to the conventional notion 
of influence. It is not hard to see that the function / is periodic if and only if for some 
w £ G \ {1}: 7u=0. Thus, the hidden shift problem with underlying functions /, g is 
well-defined if the minimum influence of /, that is, jmin(f) '■= ™™»eG\(i)(7»(/)) is n °t 
zero. 



Theorem 5: For a uniformly at random chosen V £ G m and a function / : G — > 
probability that fv is not injective is at most — X^6g(1 — 7z) m — -^ 2 (1 — Jmin) 



S the 



Proof: Let N denote \G\. We define the matrix An 



according to 



A, 



f(xox ) 
f(x xi) 



f(xix ) 
/{xix-l) 



f(x X N -2) f(x!X N - 2 ) 
/(XQXiV-l) f(x 1 x N _ 1 ) 



f(x N - 2 x ) 

f(x N -2Xl) 



f(x N -!X ) 
f(x N -lXl) 



f(x N ~ 2 XN~2) f(x N -iX N - 2 ) 
f(x N ^ 2 X N ~l) /(Xiv-l^jv-l). 



(5) 



where xq,x\,X2, ■ ■ ■ ,xm-i is an enumeration of elements of G in an arbitrary order. 

For any two fixed and distinct rows i,j, the probability that their fc-th element are 
equal is exactly 1 — "f^ x -i x when k is chosen uniformly at random. Thus, the probability 
that the strings of m randomly chosen elements are equal is (1 — l( x - 1 x )) m since the 
events are independent. Using union bound, it can be seen that the probability that any 
two strings of the form above are equal for any two distinct rows is at most 



N 



£a-TWs>> m = f £ d 

i6G\{1} 



N 



= ££(1-7.)' 



i<3 



<7V 2 (l- 7ml „) m 

Based on the construction, this is an upper bound on the probability that fv is a non- 
injective function ■ . 



In [T] , the number of queries needed by their algorithm to solve the hidden shift problem 
for functions of form /, g : Z£ — > {0, 1} is shown to be related to the minimum influence of 
/. Interestingly, Theorem 5 relates the success probability of injectivization to the same 
intrinsic feature of the function, that is, the minimum influence. To be precise, we are 
using the generalized notion of influence, but it remains the same for the case of binary 
functions. Hence, this gives an alternative proof that the average case Boolean functions 
can be injectivized when V is chosen uniformly at random, due to a lower bound on the 
minimum influence of the majority of the Boolean functions in [I]. As a special case of 
this, using injectivization, it is possible to efficiently reduce the hidden shift problem for 
bent functions to the Simon's problem. Bent functions have a property called perfect 
nonlinearity, which means that, for any bent function / : — > Z2 and for any non-zero 
v £ Z2, the function f v (x) := f(x) + f(x + v) is a balanced Boolean function [2D]. This 
is equivalent to saying that j v (f) = 7miu(/) = 1/2 for any non-zero v. Using Theorem 
5 and a construction similar to Corollary 4, we have the following corollary: 

Corollary 6: Choosing m > (2 + e)n with an arbitrary constant e > 0, using injectiviza- 
tion, the hidden shift problem for bent functions /, g : Z£ — > Z2 reduces to the injective 
hidden shift problem fv , gv '■ Z2 — > ^2 with high probability (asymptotically) which in 
turn reduces to Simon's problem. 
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3 Classical complexity 

We show that, the classical query complexity of the non-injective hidden shift problem 
when the underlying group is ZJ^ is high in the average case when m is a constant 
number. For proving this bound, we benefit from some of the ideas in Q]. 

First, we define an artificial variant of the non-injective hidden shift problem which 
helps in proving the classical lower bound on the complexity of the average case non- 
injective hidden shift problem. We call this problem, the no-promise non-injective hidden 
shift problem. The only difference in this new problem is that we first pick s £ G and 
oracle g : G — > S. Then the oracle / : G — > S will be constructed according to Q. The 
goal of the problem is to find s given oracles / and g. In this problem, when / and g 
happen to be periodic functions, information theoretically it is not possible to choose the 
right s with certainty among the many possible candidates. 

Similar to IT], queries are made to the pair of functions (/,<?)• This at most doubles 
the number of queries which is not important in the context of query complexity. 



Theorem 7: To solve a uniformly random instance of the no-promise non-injective 
hidden shift problem defined with a solution s £ Z™ and functions f,g:Zq—>S with 

probability at least 1 /2, at least 57 \Pi^J queries are needed when g is a constant number 
and pi is the smallest prime divisor of q. 

Proof: Let q = p* 1 xpjj 2 ■ ■ ■ xjif* be the prime factorization of q where p± < pi < ■ ■ ■ < p t 
holds. Let T\,Ti, . . . , T m be an enumeration of all 1-dimensional subspaces of Z pi . Since 
pi is a prime number, all subspaces have the same number of elements. Furthermore, the 

Pi ~ 1 

only common element between each two subspaces is 0. These two imply m = . 

Pi - 1 

We define the disjoint sets Si = Ti \ {0} for all 1 < i < m. We use the following 
notation: for x £ Z™ , we define x pi € Z pi such that x pi = (x mod pi) where mod pi is 
carried out component- wise. 

As a bonus to the classical computer, we provide a magical bell to it which rings if it 
makes the queries Xi and X2 and it happens that (Xi — X2) P1 and s pi are both in the 
same set Si. If finding in which set s pi lies, proves to be hard, then finding s itself must 
be hard because of an obvious reduction from the latter to the former. 

Without loss of generality, we assume s pi / 0. Let Q k — {X±,X 2 , . ■ ■ ,X k } be the 
places in which the queries are made after k queries. Also, let D be the set of all i's 
for which we know s pi ^ Si according to our queries and the magical bell. The sets 
S\, S2, ■ ■ ■ , S m are disjoint. This gives the important observation that knowing D gives 
no information about the actual set to which s pi belongs. More formally, we have 

Pr[ Spi e S^i D] = — * < . (6) 

m-\L>\ Pi - 1 fe2 

Pi — 1 

Since conditioning on the queries does not provide any information, the best algorithm 
is to just randomly guess the set to which s pi belongs. The best a classical computer 
can do is to eliminate 1 + u) 5- k 2 possible sets after k queries. Hence, to be able to 
find the set to which a pi belongs with probability at least 1/2, it needs to make at least 

f2 [Pl^J queries ■ . 

Theorem 8: To solve the non-injective hidden shift problem for functions /, g : Zg — > S 
with probability at least 1/2 + e classically, Q (p"^ 2 ) queries are needed in the average 



7 



case, when e > is an arbitrary constant. 



Proof: The probability that / is periodic is very small. More formally, for any fixed 
non-zero r G Z™, it holds that 

Pr[f(x + r) = f{x) for all x] < (7) 

where the probability of the event is the highest when the order of r is 2. Hence, by 

<T 

the union bound, the probability of having a periodic function is at most „ . which 

\S\ q 

is double exponentially small. This implies that the number of periodic functions is at 

most R :— N- — , „ ,„ where N := \S\ q denotes the total number of functions. 
\S\i > 2 

As the name suggests, adding the promise that the functions are non-periodic makes 
the no-promise non-injective hidden shift problem the same as the injective hidden shift 
problem in definition. Since the number of periodic functions is negligible, the uni- 
form probability distribution over the whole language, U, is extremely close in variation 
distance to the uniform probability distribution over non-periodic functions, V. More 
formally: 

w-v\\ = Iy: m*) - <l(w- mjfhn ~^ + §) = §- (8) 

xeL v ' 

Using Theorem 7, it implies immediately that there should not exist a probabilistic 

classical Turing machine that makes less than SI ^f>" / ' 2 ^ queries and solves a uniformly 

random chosen instance of the non-injective hidden shift problem with probability at 
1 R 

least - + — , otherwise we could use this Turing machine to violate Theorem 7 ■ . 



4 Conclusion 

We developed a framework called injectivization which can be used for reducing some 
instances of the non-injective hidden shift problem over any group to the hidden shift 
problem for injective functions over the same group. In particular, we showed that this 
process succeeds, when we have an average case instance of the non-injective hidden 
shift problem and also when the underlying function is bent. We related the success 
probability of this process to a generalized notion of influence. In addition, we simplified 
the main result of p] and also used this framework to address an open question of [l] by 
generalizing their results to the hidden shift problem for functions /, g : — > S where 

5 is an arbitrary set and q is a constant prime power. We also proved that the average 
case classical complexity of this problem for any constant q is high. 
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